Practically speaking, I think the attackers just focus on the 95% (or whatever percent it is) that don't have 2FA enabled. No reason to worry about the 5% who do.

This all changes if they are targeting a specific individual, or if one day everyone has 2FA enabled.